IntSights' Blog

The Top Threat Actors Targeting Financial Services Organizations

“If you know the enemy and know yourself, you need not fear the result of a hundred battles." This is a quote from Sun Tzu's famous book, The Art of War. To defeat your enemy, you must know your enemy, and the same goes for the world of cyber security. The financial services industry is the industry most attacked by cybercrime groups. These groups differ in their capabilities, TTPs (Tactics, Techniques and Procedures), modus operandi and more. When attacking the financial sector, they focus on fraud, burglarizing ATMs, executing transactions through the SWIFT systems and penetrating the intranets of financial organizations through the use of banking malware.

Knowing your cyber-adversaries can help you more effectively defend against their attacks. This post discusses the key motivations and supporters behind cybercrime groups, and lists the top groups that target financial services organizations.

Cybercrime Motivations

Every attack starts with a motive, and understanding your attacker's motive can help you strategically defend yourself. Some hackers hack for financial profit or for information that is worth money. Some hack to satisfy their egos or to gain peer recognition. Some hack alone, and some hack in groups. But many hackers, or more accurately “hacktivists,” join groups like Anonymous in order to demonstrate their dissatisfaction with powerful organizations, such as corporations and governments that fail to share their world views. These hackers don’t consider themselves to be bad actors. They see their activity in a positive light, viewing themselves as contributors to a greater body of knowledge, and often hacking without a clear vision of the second-order effects of their actions.

Nation-State Attackers

Another category of hacker supports nation-state strategy by operating in the cyber domain. These hackers are difficult to categorize, since they may be directly employed by an arm of a national government or may belong to an organized crime entity employed by a national government. Think of recent hacks like the one on JP Morgan Chase, which was attributed to an unidentified group in Russia. Understanding the motivation of hackers and the organizations with which they are associated is essential to understanding their tactics.

Knowing one’s enemy is a fundamental concept in kinetic warfare and is equally important, albeit more difficult, in the cyber environment.

It is valuable to explore nation-state and nation-state-sponsored APTs, because they generally have deep resources and their collective motivations run across the spectrum. Because nation-state APTs are funded extremely well relative to small groups and individuals, they can be particularly formidable adversaries for other countries and for commercial industries, regardless of vertical. In short, nefarious nation-state-sponsored cyber activity can have devastating effects on a country’s national security and its economy. Not all nation-state groups are created equal, and like individual hackers, each has a different motivation and level of cyber capability. As we look at the cyber terrain from a global perspective, we see several countries that surface in the media most often: China, North Korea, Russia, Iran and the US.

Top Cybercrime Groups Targeting Financial Organizations

Money Taker

Country: Russia

Threat Level: High

Level of Sophistication: High. The group is known for its self-developed attack tools, customization of public tools for its needs, tools for erasing footprints, and malware that persists across reboots.

Carbanak

Level of Sophistication: High. The group is considered to have a sub-state capability. The types of malware the group uses provide a wide range of possibilities, including theft of authorizations, disabling AV tools, theft of credit card details and personal information, seizing control over R&D and more.

Ratankba / QuickRide – tool for collecting information from a computer; it can also download and upload executable files

Enigma Protector – tool used to protect executable files

SilverLight – tool used to exploit vulnerabilities in Flash

Recon – scanning tool used to identify systems of interest

Attributed Campaigns

The attack on Sony Pictures

WannaCry ransomware attack on multiple organizations around the world

Theft of $12 M from Banco del Austro in Ecuador

Theft of $1 M from Tien Phong Bank in Vietnam – SWIFT attack

Theft of $81 M from the Central Bank of Bangladesh

Theft of $60 M from FEIB Bank in Taiwan

Theft of $5 M from various banks in Nepal

Conclusion & Further Reading

We hope this information helps you familiarize yourself with some of the key threat actors that may be targeting your organization. As we've mentioned above, knowing your adversary and their motivations can help you make the right strategic investments in tools and processes to effectively defend yourself.

Itay Kozuch is the Director of Threat Research at IntSights. He is a cybersecurity expert with over a decade of experience managing cyber-security and threat research. Prior to IntSights, Itay served as a Manager and Head of Cyber Technologies at KPMG. He previously led cyber projects and served as a CISO for major companies in Europe, West Africa and Central America.
